
Commit 8ff9865

committed
build: harden as per zizmor
1 parent 560c1cd commit 8ff9865

3 files changed

+14
-8
lines changed


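--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -119,7 +119,7 @@ jobs:
 - name: Pack NuGet packages (snapshot)
 shell: pwsh
 run: |
-dotnet pack -c Release -o ${{ env.NuGetDirectory }}
+dotnet pack -c Release -o $env:NuGetDirectory
 if: |
 success() && github.ref == 'refs/heads/main'
 && matrix.version.target == 'net8.0' && matrix.os == 'windows-latest'
@@ -131,7 +131,7 @@ jobs:
 if ( $env:GITHUB_REF -match '^refs/tags/v(.*)$' ) {
 $VERSION=$matches[1]
 Write-Host $VERSION
-dotnet pack -c Release -p:RELEASE_VERSION=$VERSION -o ${{ env.NuGetDirectory }}
+dotnet pack -c Release -p:RELEASE_VERSION=$VERSION -o $env:NuGetDirectory
 } else {
 Write-Error "Failed to extract the version from env:GITHUB_REF"
 Exit 1
@@ -151,19 +151,23 @@ jobs:
 && matrix.version.target == 'net8.0' && matrix.os == 'windows-latest'
 - name: Publish NuGet packages (GH/always)
 shell: pwsh
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
-foreach($file in (Get-ChildItem "${{ env.NuGetDirectory }}" -Recurse -Include *.nupkg)) {
-dotnet nuget push $file --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate --no-symbols
+foreach($file in (Get-ChildItem $env:NuGetDirectory -Recurse -Include *.nupkg)) {
+dotnet nuget push $file --api-key $env:GITHUB_TOKEN --skip-duplicate --no-symbols
 }
 if: |
 success()
 && matrix.version.target == 'net8.0' && matrix.os == 'windows-latest'
 && (github.ref == 'refs/heads/main' || github.event_name == 'release' || inputs.release)
 - name: Publish NuGet packages (NuGet.org/release)
 shell: pwsh
+env:
+NUGET_APIKEY: ${{ secrets.NUGET_APIKEY }}
 run: |
-foreach($file in (Get-ChildItem "${{ env.NuGetDirectory }}" -Recurse -Include *.nupkg)) {
-dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols
+foreach($file in (Get-ChildItem $env:NuGetDirectory -Recurse -Include *.nupkg)) {
+dotnet nuget push $file --api-key $env:NUGET_APIKEY --source https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols
 }
 if: |
 success()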
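Review bot: The new step-level `env:` blocks for GITHUB_TOKEN and NUGET_APIKEY carry no comment explaining why the secrets are now routed through the environment instead of being expanded with `${{ }}` inside `run:`, which is the whole point of the change and the first thing a future editor is likely to "simplify" back. Suggest a comment above each `env:` line such as `# Pass secrets via env rather than expanding them into the script text (zizmor template-injection finding).`, and the same reasoning covers the `$env:NuGetDirectory` substitutions in the two pack steps. `$env:NuGetDirectory` only resolves if `NuGetDirectory` is declared in a workflow- or job-level `env:` block, which is outside these hunks, so that is worth confirming rather than assuming. Pushing to GitHub Packages with GITHUB_TOKEN also needs `packages: write` on this job; the job's `permissions` are not in the hunk, so check that the narrowing applied in scorecard.yml and sonarcloud.yml was not also applied to this workflow's default.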

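--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -15,7 +15,8 @@ on:
 branches: [ "main" ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}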
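Review bot: The context comment `# Declare default permissions as read only.` directly above the new block no longer describes it: `read-all` granted read on every scope, whereas `contents: read` grants exactly one, so any job that relied on `actions: read` or `pull-requests: read`, or (for the scorecard upload) needs `id-token: write` and `security-events: write`, must now declare it at job level, which is outside this hunk. Suggest rewording the comment to `# Least-privilege default: contents read only; jobs declare anything further.` The identical narrowing in sonarcloud.yml (`permissions:` / `contents: read`) has no comment at all and should get the same one, and its job-level grants deserve the same check.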

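--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -6,7 +6,8 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
 
-permissions: read-all
+permissions:
+contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}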
